Lack of SELinux policies prevents normal operation of a CentOS based amphora

Bug #1646125 reported by Nir Magnezi
Affects: octavia
Status: Invalid
Importance: High
Assigned to: Unassigned
Milestone: (none)

Bug Description

For example: haproxy fails to read configuration on a CentOS-based amphora instance.
This issue is caused by SELinux, which is Enforcing by default (as it should be).

The error (for the above-mentioned example):
amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560 haproxy: [ALERT] 334/114506 (2394) : Could not open configuration file /var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg : Permission denied

More SELinux Issues:

SELinux is preventing /usr/sbin/haproxy from read access on the file haproxy.cfg.
SELinux is preventing /usr/sbin/haproxy from getattr access on the file /var/lib/octavia/d842c875-6fea-49cd-ac49-9aa82d12237c/haproxy.cfg.
SELinux is preventing /usr/sbin/ip from mounton access on the directory /run/netns.
SELinux is preventing /usr/sbin/ip from mounton access on the directory /.
SELinux is preventing /usr/sbin/ip from mounton access on the directory /sys.
SELinux is preventing /usr/sbin/ip from mounton access on the directory /etc/sysconfig.
SELinux is preventing /usr/sbin/sysctl from getattr access on the filesystem /sys.
SELinux is preventing /usr/sbin/sysctl from write access on the file sysrq.
SELinux is preventing /usr/sbin/sysctl from getattr access on the file /proc/sys/fs/protected_hardlinks.
SELinux is preventing /usr/sbin/sysctl from write access on the file protected_hardlinks.
SELinux is preventing /usr/sbin/sysctl from getattr access on the file /proc/sys/fs/file-max.
SELinux is preventing /usr/sbin/sysctl from write access on the file file-max.
SELinux is preventing /usr/sbin/haproxy-systemd-wrapper from execute access on the file haproxy-systemd-wrapper.
SELinux is preventing /usr/sbin/haproxy from using the dac_override capability.
SELinux is preventing /usr/sbin/haproxy from using the fowner capability.
SELinux is preventing /usr/sbin/haproxy from create access on the sock_file d842c875-6fea-49cd-ac49-9aa82d12237c.sock.3477.tmp.
SELinux is preventing /usr/sbin/haproxy from setattr access on the sock_file 2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp.
SELinux is preventing /usr/sbin/haproxy from remove_name access on the directory 2c699b77-3983-4d40-a425-cbad188f2067.sock.2454.tmp.
SELinux is preventing /usr/sbin/haproxy from name_bind access on the tcp_socket port 80.
SELinux is preventing /usr/sbin/haproxy from listen access on the tcp_socket port None.
SELinux is preventing /usr/sbin/haproxy from write access on the directory d842c875-6fea-49cd-ac49-9aa82d12237c.
SELinux is preventing /usr/sbin/haproxy from using the setgid capability.
SELinux is preventing /usr/sbin/haproxy from using the setuid capability.
SELinux is preventing /usr/sbin/haproxy from write access on the sock_file 2c699b77-3983-4d40-a425-cbad188f2067.sock.
SELinux is preventing /usr/sbin/haproxy from link access on the sock_file d842c875-6fea-49cd-ac49-9aa82d12237c.sock.
SELinux is preventing /usr/sbin/haproxy from unlink access on the sock_file d842c875-6fea-49cd-ac49-9aa82d12237c.sock.
SELinux is preventing /usr/sbin/haproxy from add_name access on the directory d842c875-6fea-49cd-ac49-9aa82d12237c.pid.
SELinux is preventing /usr/sbin/haproxy-systemd-wrapper from read access on the file haproxy.cfg.
SELinux is preventing /usr/sbin/haproxy-systemd-wrapper from getattr access on the file /var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg.
SELinux is preventing /usr/sbin/haproxy from write access on the directory octavia.
SELinux is preventing /usr/sbin/haproxy from unlink access on the file d842c875-6fea-49cd-ac49-9aa82d12237c.pid.
SELinux is preventing /usr/sbin/haproxy from create access on the file 2c699b77-3983-4d40-a425-cbad188f2067.pid.
SELinux is preventing /usr/sbin/haproxy from using the kill capability.
SELinux is preventing /usr/sbin/haproxy from getattr access on the file /var/lib/octavia/2c699b77-3983-4d40-a425-cbad188f2067/haproxy.cfg.

I'll attach the full log to this bug.

The missing SELinux policies:
[root@amphora-a61d0e97-d68f-4246-9f84-b2aae7ed7560 system]# cat /var/log/audit/audit.log | audit2allow -R
require {
 type ifconfig_t;
 type haproxy_t;
 type haproxy_exec_t;
 type var_lib_t;
 type ifconfig_var_run_t;
 type sysctl_fs_t;
 type proc_security_t;
 type sysctl_kernel_t;
 type etc_t;
 class capability { setuid kill setgid fowner net_bind_service dac_override };
 class tcp_socket listen;
 class dir mounton;
 class file { execute read create execute_no_trans write getattr unlink open };
 class sock_file { rename write link setattr create unlink };
}

#============= haproxy_t ==============
allow haproxy_t var_lib_t:file { read getattr open };

#============= ifconfig_t ==============
allow ifconfig_t etc_t:dir mounton;
allow ifconfig_t haproxy_exec_t:file { read execute open execute_no_trans };
allow ifconfig_t ifconfig_var_run_t:dir mounton;
allow ifconfig_t proc_security_t:file { write getattr open };
allow ifconfig_t self:capability { setuid kill setgid fowner net_bind_service dac_override };

#!!!! This avc can be allowed using the boolean 'nis_enabled'
allow ifconfig_t self:tcp_socket listen;
allow ifconfig_t sysctl_fs_t:file { write getattr open };
allow ifconfig_t sysctl_kernel_t:file write;
allow ifconfig_t var_lib_t:file { write getattr read create unlink open };
allow ifconfig_t var_lib_t:sock_file { rename write link setattr create unlink };
corenet_tcp_bind_http_port(ifconfig_t)
dev_getattr_sysfs_fs(ifconfig_t)
files_filetrans_system_db_named_files(ifconfig_t)
files_mounton_isid(ifconfig_t)
files_mounton_rootfs(ifconfig_t)

Tags: auto-abandon
Nir Magnezi (nmagnezi) wrote :
Changed in octavia:
importance: Undecided → High
status: New → Confirmed
Nir Magnezi (nmagnezi) wrote :

@Michael, following our IRC chat I will try to incorporate the above-mentioned policy into https://github.com/openstack/octavia/blob/master/elements/haproxy-octavia/os-refresh-config/configure.d/20-haproxy-selinux

This would be part of https://review.openstack.org/#/c/331841/

Changed in octavia:
assignee: nobody → Nir Magnezi (nmagnezi)
Nir Magnezi (nmagnezi) wrote :

Since this was eventually not part of https://review.openstack.org/#/c/331841/, I'll submit a separate patch to fix this issue.

Lon Hohberger (lhh) wrote :

That audit2allow output is bogus. There's a domain transition missing.

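The point Lon makes above is what makes the `audit2allow -R` output in the report unusable: the haproxy denials are attributed to ifconfig_t because `ip` executes haproxy-systemd-wrapper without a domain transition, so the generator proposes handing ifconfig_t setuid, dac_override, kill and the rest. The following Python script is an added example, not code from the bug report or from Octavia. It parses AVC records, flags processes caught in the wrong domain, refuses broad capability grants, points at the exec denial where a domtrans belongs, and only turns denials raised in the expected domain into candidate allow rules. The sample records in `SAMPLE_AUDIT_LOG` are constructed to mirror the denials listed above (pids, inodes and timestamps are made up), and the `EXPECTED_DOMAIN` table and all function names are assumptions of this example.

```python
"""Triage SELinux AVC denials before handing them to audit2allow.

Added example, not code from the bug report or from Octavia. It automates the
check behind Lon's remark: if haproxy is exec'd from the ip domain (ifconfig_t)
without a domain transition, its denials are logged against ifconfig_t and
`audit2allow -R` proposes granting that domain setuid, dac_override and so on.
The sample records and the expected-domain table are constructed assumptions.
"""
import re
from collections import defaultdict

# Constructed audit.log AVC records mirroring the denials in the report
# (pids, inodes and timestamps are made up; LB_ID stands in for a UUID).
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1480937106.101:201): avc:  denied  { read } for  pid=2394 comm="haproxy" name="haproxy.cfg" dev="vda1" ino=1001 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
type=AVC msg=audit(1480937106.102:202): avc:  denied  { dac_override } for  pid=2394 comm="haproxy" capability=1 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1480937106.103:203): avc:  denied  { setuid } for  pid=2394 comm="haproxy" capability=7 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:system_r:ifconfig_t:s0 tclass=capability permissive=0
type=AVC msg=audit(1480937106.104:204): avc:  denied  { mounton } for  pid=2380 comm="ip" name="netns" dev="tmpfs" ino=1002 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:ifconfig_var_run_t:s0 tclass=dir permissive=0
type=AVC msg=audit(1480937106.105:205): avc:  denied  { execute } for  pid=2390 comm="ip" name="haproxy-systemd-wrapper" dev="vda1" ino=1003 scontext=system_u:system_r:ifconfig_t:s0 tcontext=system_u:object_r:haproxy_exec_t:s0 tclass=file permissive=0
type=AVC msg=audit(1480937106.106:206): avc:  denied  { read getattr open } for  pid=2500 comm="haproxy" path="/var/lib/octavia/LB_ID/haproxy.cfg" dev="vda1" ino=1001 scontext=system_u:system_r:haproxy_t:s0 tcontext=system_u:object_r:var_lib_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{ (?P<perms>[^}]+)\} for\s+.*?comm="(?P<comm>[^"]+)"'
    r'.*?scontext=\w+:\w+:(?P<sdom>\w+):.*?tcontext=\w+:\w+:(?P<ttype>\w+):'
    r'.*?tclass=(?P<tclass>\w+)')

# Domain each confined binary is expected to run in (assumed for this example;
# on a real host compare with `ps -eZ` and the installed policy).
EXPECTED_DOMAIN = {"haproxy": "haproxy_t", "haproxy-systemd-wrapper": "haproxy_t",
                   "ip": "ifconfig_t", "sysctl": "ifconfig_t"}
# Capabilities no generated rule should hand out without a human saying why.
BROAD_CAPABILITIES = {"dac_override", "setuid", "setgid", "fowner", "kill", "sys_admin"}


def parse_avc(log_text):
    """One dict per denial: comm, sdom, ttype, tclass and a set of perms."""
    denials = []
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:
            d = m.groupdict()
            d["perms"] = set(d["perms"].split())
            denials.append(d)
    return denials


def find_missing_transitions(denials):
    """(comm, observed domain, expected domain) for processes caught running in
    the wrong domain; their denials must not become rules for that domain."""
    seen = defaultdict(set)
    for d in denials:
        seen[d["comm"]].add(d["sdom"])
    return [(comm, dom, EXPECTED_DOMAIN[comm]) for comm, doms in seen.items()
            if comm in EXPECTED_DOMAIN for dom in sorted(doms - {EXPECTED_DOMAIN[comm]})]


def find_broad_capabilities(denials):
    """(domain, capability) pairs that a generated allow rule would grant wholesale."""
    return sorted({(d["sdom"], p) for d in denials if d["tclass"] == "capability"
                   for p in d["perms"] & BROAD_CAPABILITIES})


def transition_denials(denials):
    """Exec denials on an *_exec_t entrypoint: where a domtrans belongs, not the
    execute_no_trans that audit2allow offers."""
    return [(d["comm"], d["sdom"], d["ttype"]) for d in denials
            if d["tclass"] == "file" and "execute" in d["perms"]
            and d["ttype"].endswith("_exec_t")]


def suggested_allow_rules(denials):
    """Candidate rules, only from denials raised in the expected domain and never
    for exec of an entrypoint; everything else needs a policy fix first."""
    grouped = defaultdict(set)
    for d in denials:
        if EXPECTED_DOMAIN.get(d["comm"]) != d["sdom"]:
            continue
        if d["tclass"] == "file" and d["ttype"].endswith("_exec_t"):
            continue
        grouped[(d["sdom"], d["ttype"], d["tclass"])] |= d["perms"]
    return sorted(f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
                  for (s, t, c), p in grouped.items())


if __name__ == "__main__":
    avcs = parse_avc(SAMPLE_AUDIT_LOG)
    for comm, dom, expected in find_missing_transitions(avcs):
        print(f"{comm} ran as {dom}, expected {expected}: domain transition missing")
    for dom, cap in find_broad_capabilities(avcs):
        print(f"refuse: allow {dom} self:capability {cap};")
    for comm, dom, ttype in transition_denials(avcs):
        print(f"{comm} ({dom}) executed {ttype}: needs domtrans, not execute_no_trans")
    for rule in suggested_allow_rules(avcs):
        print("review:", rule)
```

On a real amphora the text of /var/log/audit/audit.log (the same file the report pipes into audit2allow) can be passed to `parse_avc` in place of the constructed sample. On the sample it reports haproxy running as ifconfig_t instead of haproxy_t, refuses the dac_override and setuid grants, identifies the `ip` exec of haproxy_exec_t as the place a domain transition is missing, and leaves only the haproxy_t var_lib_t:file rule (the one rule in the report's output that is attributed to the right domain) plus the ip mounton denial as candidates for review.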
Gregory Thiemonge (gthiemonge) wrote : auto-abandon-script

Abandoned after re-enabling the Octavia launchpad.

Changed in octavia:
assignee: Nir Magnezi (nmagnezi) → nobody
status: Confirmed → Invalid
tags: added: auto-abandon